Exam XSIAM-Engineer Topic 2 Question 31 Discussion

Actual exam question for Palo Alto Networks's XSIAM-Engineer exam
Question #: 31
Topic #: 2

A complex Cortex XSIAM playbook orchestrates multiple actions, including endpoint isolation via Cortex XDR, user disablement via an Azure AD integration, and ticketing via ServiceNow An incident triggers this playbook, but it consistently gets stuck in a 'Pending' state at the 'Disable User in Azure AD' task. The Azure AD integration status in XSIAM is 'Connected'. Reviewing the XSIAM internal task queues (via API/CLI if available) shows a growing backlog of 'Azure AD' related tasks. No explicit error message is immediately visible in the playbook run details, only the 'Pending' status. What are the two most likely causes for this specific bottleneck and how would you investigate them?

A. The Azure AD application registration used by XSIAM has hit its API rate limit imposed by Microsoft, causing subsequent requests to queue or be throttled. Investigate by checking Azure AD audit logs for throttling messages. B. The XSIAM tenant's 'automation engine' has reached its maximum concurrent playbook execution limit, causing tasks to queue globally. Investigate by checking XSIAM system health metrics. C. The network latency or bandwidth between the XSIAM cloud and Azure AD is intermittently high, causing API calls to time out before completion. Investigate with network performance tools from the XSIAM collector (if applicable) or a test VM in the same cloud region. D. A misconfigured 'retry' mechanism in the XSIAM Azure AD integration or playbook task is causing infinite retries for failed operations, consuming all available workers. Investigate the integration's configuration and playbook task settings. E. The Azure AD user account used by the XSIAM integration lacks sufficient permissions to disable users, but the API response is not being correctly propagated as an error. Investigate by manually performing the disable action with the integration's credentials.

Suggested Answer: A,D Vote an answer

A 'Pending' state with a growing backlog for a specific integration's tasks (Azure AD) strongly points to an issue with that integration's ability to process requests, not a general XSIAM engine limit. Hitting an external API rate limit (A) is a very common cause for queued requests to external services, as the remote API will simply stop responding or respond with a 429 status code. The XSIAM integration would then queue the requests while waiting for the rate limit to reset. Another highly probable cause is a misconfigured retry mechanism (D). If a task initially fails (e.g., due to a transient issue or even a permission error that isn't immediately surfaced as a hard failure), and the retry logic is too aggressive or doesn't back off correctly, it can exhaust the integration's available worker processes, leading to a permanent 'Pending' state for all subsequent tasks. Option B is unlikely because the issue is specific to Azure AD tasks. Option C (network latency) would typically result in timeouts with errors , not just indefinite 'Pending' states, unless the timeouts are extremely long. Option E (permission issues) would usually result in an immediate 403 Forbidden error from Azure AD, which should be reflected in the playbook logs, not just a 'Pending' state, unless the integration is designed to retry indefinitely on such errors.

by Susie at Feb 25, 2026, 01:43 AM

Limited Time Offer

15%

Off

Get Premium XSIAM-Engineer Questions as Interactive Self Test Engine or PDF

Comments

0 Satisfied Customers

0 Shares

0 Demo Downloads

10 Years in Business